
ASA to ASA VPN Can not ping

zprzpr163
Level 1

I met a strange problem.

The topology is below:

top.jpg

I have set up two IPsec VPNs; "106.0" to "53.0" is strange:

I can't ping 172.29.53.13 from "106.0", but can ping other IPs. Meanwhile, 172.29.53.13 can't ping any IPs in "106.0".

"21.0" to "53.0" is OK.

Here is the configuration:

"106.0"

access-list vpnnonat extended permit ip 172.29.106.0 255.255.255.0 172.29.53.0 255.255.255.0

access-list vpnhkpolylite extended permit ip 172.29.106.0 255.255.255.0 172.29.53.0 255.255.255.0

nat (inside) 0 access-list vpnnonat

crypto ipsec transform-set myvpn2 esp-3des esp-md5-hmac

crypto ipsec transform-set remvpn esp-3des esp-md5-hmac

crypto ipsec transform-set myvpn esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dynmap 2000 set transform-set remvpn

crypto map vpnmap 200 match address vpnhkpolylite

crypto map vpnmap 200 set peer 202.64.111.3

crypto map vpnmap 200 set transform-set myvpn2

crypto map vpnmap 2000 ipsec-isakmp dynamic dynmap

crypto map vpnmap interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 28800

tunnel-group 202.64.111.3 type ipsec-l2l

tunnel-group 202.64.111.3 ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 300 retry 2

----------------------------------------------------------------------------------

"53.0"

access-list vpnnonat extended permit ip 172.29.53.0 255.255.255.0 172.29.106.0 255.255.255.0

access-list vpnmaxdo extended permit ip 172.29.53.0 255.255.255.0 172.29.106.0 255.255.255.0

nat (inside) 0 access-list vpnnonat

crypto ipsec transform-set myvpn2 esp-3des esp-md5-hmac

crypto ipsec transform-set myvpn esp-3des esp-sha-hmac

crypto ipsec transform-set remvpn esp-3des esp-md5-hmac

crypto dynamic-map dynmap 65535 set transform-set remvpn

crypto map outside_map1 100 match address vpnmaxdo

crypto map outside_map1 100 set peer 116.247.86.170

crypto map outside_map1 100 set transform-set myvpn2

crypto map outside_map1 65535 ipsec-isakmp dynamic dynmap

crypto map outside_map1 interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

tunnel-group 116.247.86.170 type ipsec-l2l

tunnel-group 116.247.86.170 ipsec-attributes

pre-shared-key *

--------------------------------------------------------------------------------------------

Is there anything else I need to check?

Kindly wait for the solution.


anshubathla
Level 1

Take a capture on "53.0" for the network 172.29.53.13 on the interface on which this network resides and paste the results.

malshbou
Level 1

What is 172.29.53.13 assigned to?

------------------
Mashal Alshboul

------------------ Mashal Shboul

It is a server, with Server 2003.
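
Added example, not part of any post in this thread: a Python check of the two posted ASA configurations for the settings both peers must agree on (mirrored crypto ACLs, the same transform set on the crypto map entry, at least one shared ISAKMP policy). The excerpts are re-typed from the question with sub-commands indented as in `show running-config`; the function names are this example's own.

```python
import re
# Excerpts of the two posted configs (lifetimes left out); one ACE per crypto ACL assumed.
SITE_106 = """\
access-list vpnhkpolylite extended permit ip 172.29.106.0 255.255.255.0 172.29.53.0 255.255.255.0
crypto ipsec transform-set myvpn2 esp-3des esp-md5-hmac
crypto map vpnmap 200 match address vpnhkpolylite
crypto map vpnmap 200 set transform-set myvpn2
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""
SITE_53 = """\
access-list vpnmaxdo extended permit ip 172.29.53.0 255.255.255.0 172.29.106.0 255.255.255.0
crypto ipsec transform-set myvpn2 esp-3des esp-md5-hmac
crypto map outside_map1 100 match address vpnmaxdo
crypto map outside_map1 100 set transform-set myvpn2
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
"""

def parse(cfg):
    grab = lambda pat: re.findall(pat, cfg, re.M)
    acl = dict(grab(r"^access-list (\S+) extended permit ip (.+)$"))
    ts = dict(grab(r"^crypto ipsec transform-set (\S+) (.+)$"))
    acl_name = grab(r"^crypto map \S+ \d+ match address (\S+)")[0]
    ts_name = grab(r"^crypto map \S+ \d+ set transform-set (\S+)")[0]
    # Lifetimes are ignored: they need not be identical for a policy to match.
    pols = {frozenset(l for l in b.strip().split("\n ") if not l.startswith("lifetime"))
            for b in grab(r"^crypto isakmp policy \d+\n((?: .+\n)+)")}
    return acl[acl_name].split(), ts[ts_name].split(), pols

def check(a, b):
    (acl_a, ts_a, pol_a), (acl_b, ts_b, pol_b) = parse(a), parse(b)
    return {"acl_mirrored": acl_a == acl_b[2:] + acl_b[:2],
            "transform_match": ts_a == ts_b, "common_isakmp": len(pol_a & pol_b)}
```

For the posted excerpts all three checks pass, which is consistent with the report that other addresses in "53.0" answer pings from "106.0".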